[gs-bugs] [Bug 692234] Floating point exception with the x11cmyk device

bugzilla-daemon at ghostscript.com
Tue Jun 28 22:58:55 UTC 2011


http://bugs.ghostscript.com/show_bug.cgi?id=692234

James Cloos <cloos at jhcloos.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

--- Comment #9 from James Cloos <cloos at jhcloos.com> 2011-06-28 22:58:52 UTC ---
No, it does not address this bug.

It is easy to get false negatives when trying to reproduce this one.  The best
way to check is to run:

gdb --args ./language_switch/debugobj/pspcl6 -sDEVICE=x11cmyk gs/examples/colorcir.ps

set a breakpoint with:

(gdb) b gx_render_device_DeviceN

run the test:

(gdb) run

when you hit the breakpoint, confirm that the device has four colours:

(gdb) p dev->color_info.num_components
$1 = 4

and then confirm that the pdht has only one component:

(gdb) p pdht->num_comp
$2 = 1

and the code still does:

    int num_colors = dev->color_info.num_components;

    for (i = 0; i < num_colors; i++) {
        unsigned long hsize = pdht ?
                (unsigned) pdht->components[i].corder.num_levels
                : 1;

and therefore still dereferences array elements which are not defined.

Should pdht->components[i].corder.num_levels, i>0 happen to hit memory which
has been initialized to non-zero values there is no division by zero, but that
is just blind luck.

The code still falsely assumes that there will be (at least) as many entries in
the pdht->components[] array (which is counted by pdht->num_comp) as the device
has colours.  But pdht always seems to have a single component.

Any cmyk device with less than eight bits per colour will do; the bug is not
limited to the x11cmyk devices.  (The eight bit per colour devices do not call
this function, nor do RGB devices.  I suspect a one bit per plate version of
tiffsep or tiffsep1 would also hit this, presumably with more than just four
colours if the file uses a DeviceN space.)

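The missing bounds check described in the comment above, as an added example that is not part of the original message and is not Ghostscript code. The struct layouts, error codes and function names are simplified assumptions; only the field names `components`, `num_comp` and `corder.num_levels` come from the report.

```c
#include <stddef.h>

/* Simplified stand-ins for the structures named in the report; the real
 * Ghostscript definitions differ (assumption). */
typedef struct { unsigned num_levels; } order_t;
typedef struct { order_t corder; } ht_component_t;
typedef struct { ht_component_t *components; int num_comp; } halftone_t;

enum { HT_OK = 0, HT_ERR_TOO_FEW_COMPONENTS = -1, HT_ERR_ZERO_LEVELS = -2 };

/* Same per-plane lookup as the quoted loop, but it refuses to index past
 * pdht->num_comp and rejects a zero size, which this sketch assumes is
 * later used as a divisor. */
int checked_hsizes(const halftone_t *pdht, int num_colors,
                   unsigned long *hsize)
{
    int i;

    if (pdht != NULL &&
        (pdht->components == NULL || pdht->num_comp < num_colors))
        return HT_ERR_TOO_FEW_COMPONENTS;

    for (i = 0; i < num_colors; i++) {
        unsigned long h = pdht ?
                (unsigned) pdht->components[i].corder.num_levels
                : 1;
        if (h == 0)
            return HT_ERR_ZERO_LEVELS;
        hsize[i] = h;
    }
    return HT_OK;
}

/* Constructed sample: a 4-colour device against a halftone that reports
 * num_comp components, each with the given num_levels. */
int demo(int num_comp, unsigned levels)
{
    ht_component_t comps[4];
    halftone_t ht = { comps, num_comp };
    unsigned long hsize[4];
    int i;

    for (i = 0; i < 4; i++)
        comps[i].corder.num_levels = levels;
    return checked_hsizes(&ht, 4, hsize);
}

/* The state seen in the gdb session: 4 colours, 1 halftone component. */
int main(void) { return demo(1, 256) == HT_ERR_TOO_FEW_COMPONENTS ? 0 : 1; }
```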